New research bolsters the often ignored advice to organizations not to pay a ransomware demanded by attackers. The report found paying a ransom to unlock systems can actually cost companies more financially than recovering data themselves in the long run.
Research conducted by Vanson Bourne and commissioned by security firm Sophos shows that ransomware victims that refused to pay a ransom reported, on average, $730,000 in recovery costs. However, organizations that did pay a ransom reported an average total cost, including the ransom, of $1.4 million, according to the report, The State of Ransomware 2020.
“Paying the ransom doubles the overall clean-up costs,” researchers wrote in the report.
Indeed, security experts and law enforcement officials have long argued that paying ransoms is a bad idea for a number of reasons. For one, it funds future endeavors by cybercriminals who receive payouts and gives them more incentive to launch more attacks.
It also can inspire other cybercriminals to mount similar attacks if they see it garners a big payout for their cohorts. The new research suggests that it literally doesn’t pay for organizations to meet cybercriminals’ ransomware demands.
Vansom Bourne polled 5,000 IT managers across 26 countries during January and February 2020, aiming to provide insight to what happens to companies after they are hit with a ransomware attack.
Fifty-one percent of those polled said they were hit with ransomware attacks in the last year, and 73 percent of those said data was encrypted in the attack.
The report shows that sometimes even paying a ransom does not guarantee a company will recover data encrypted in an attack, according to researchers. Of the respondents that said they were victims of a ransomware attack, 26 percent said they paid the ransom to recover data.
While overall, 94 percent of organizations that experienced data encrypted got it back, more than twice as many, 56 percent, recovered their data using back-ups rather than paying the ransom (26 percent). And 1 percent of companies who were hit with attacks and paid the ransom said they didn’t see their data restored after the attack, according to the report.
Private Sector Hit Harder
Though ransomware attacks in the public sector—which is believed to be one of the hardest hit by these attacks—are high profile, the report shows that actually that sector is less affected by ransomware attacks than the private sector.
Of those polled, 45 percent of public sector organizations were hit by ransomware in the last year, which was a relatively low compared to other sectors broken out by researchers. Ransomware attacks against a California city and appellate courts in Texas were among high-profile public-sector attacks in the last year.
In fact, according to the survey, the industry that suffered the most attacks in the last year were media, leisure, and entertainment companies, 60 percent of which polled in the survey said they experienced ransomware attacks.
This sector was followed by IT, technology and telecoms (56 percent); energy, oil/gas and utilities (55 percent); companies that categorized themselves as “other” (54 percent); and business and professional services (50 percent).
Cloud Data Vulnerable to Ransomware
The report also outlined technology and demographic trends that pointed to whether a company is more likely or not to be hit with a ransomware attack as well as how well they could mitigate attacks’ effects.
Data on the public cloud seems more susceptible to attacks than data hosted on premises, according to the research. Of the 73 percent of respondents who said their data had been encrypted in a ransomware attack, those who had at least some data in the public cloud were included in six out of 10 reported successful attacks, the report showed.
Organizations in some geographic regions also demonstrated more success in stopping ransomware attacks before they could encrypt data, according to the report. At the top end of the success rate were organizations in Turkey, with 51 percent in stopping attacks before encryption, followed by Spain (44 percent), Italy (38 percent), and Brazil (36 percent).
At the bottom end, organizations in Japan had the least success in mitigating attacks before encryption, with only 5 percent of companies able to do so, followed by India and Sweden (8 percent); Nigeria (11 percent); and Australia, Malaysia, France and the Czech Republic (17 percent).
“Reasons for this global variation could include differing levels of awareness of both the prevalence of ransomware and the likelihood of being hit, which in turn could result in differing levels of anti-ransomware specific defenses,” researchers wrote.
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.